Update to upstream 4.4.3
parent
d3389e055a
commit
f573742499
1
.gitignore
vendored
1
.gitignore
vendored
@ -46,3 +46,4 @@
|
||||
/freeipa-4.3.2.tar.gz
|
||||
/freeipa-4.4.1.tar.gz
|
||||
/freeipa-4.4.2.tar.gz
|
||||
/freeipa-4.4.3.tar.gz
|
||||
|
@ -1,38 +0,0 @@
|
||||
From cca4741602bf60fbc0589116113dd95646fa2888 Mon Sep 17 00:00:00 2001
|
||||
From: Fraser Tweedale <ftweedal@redhat.com>
|
||||
Date: Tue, 15 Nov 2016 14:02:54 +1000
|
||||
Subject: [PATCH] certprofile-mod: correctly authorise config update
|
||||
|
||||
Certificate profiles consist of an FreeIPA object, and a
|
||||
corresponding Dogtag configuration object. When updating profile
|
||||
configuration, changes to the Dogtag configuration are not properly
|
||||
authorised, allowing unprivileged operators to modify (but not
|
||||
create or delete) profiles. This could result in issuance of
|
||||
certificates with fraudulent subject naming information, improper
|
||||
key usage, or other badness.
|
||||
|
||||
Update certprofile-mod to ensure that the operator has permission to
|
||||
modify FreeIPA certprofile objects before modifying the Dogtag
|
||||
configuration.
|
||||
---
|
||||
ipaserver/plugins/certprofile.py | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
|
||||
index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
|
||||
--- a/ipaserver/plugins/certprofile.py
|
||||
+++ b/ipaserver/plugins/certprofile.py
|
||||
@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
|
||||
raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
|
||||
reason=_('Certificate profiles cannot be renamed'))
|
||||
if 'file' in options:
|
||||
+ # ensure operator has permission to update a certprofile
|
||||
+ if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
|
||||
+ raise errors.ACIError(info=_(
|
||||
+ "Insufficient privilege to modify a certificate profile."))
|
||||
+
|
||||
with self.api.Backend.ra_certprofile as profile_api:
|
||||
profile_api.disable_profile(keys[0])
|
||||
try:
|
||||
--
|
||||
2.7.4
|
@ -1,188 +0,0 @@
|
||||
From bcb06e1d67b3aefad33db387ce7a7700a224f30c Mon Sep 17 00:00:00 2001
|
||||
From: David Kupka <dkupka@redhat.com>
|
||||
Date: Thu, 29 Sep 2016 15:59:34 +0200
|
||||
Subject: [PATCH] password policy: Add explicit default password policy for
|
||||
hosts and services
|
||||
|
||||
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
|
||||
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
|
||||
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
|
||||
CoS so no attributes are really added.
|
||||
|
||||
The default policies effectively disable any enforcement or lockout for hosts
|
||||
and services. Since hosts and services use keytabs passwords enforcements
|
||||
doesn't make much sense. Also the lockout policy could be used for easy and
|
||||
cheap DoS.
|
||||
---
|
||||
install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
|
||||
install/updates/Makefile.am | 1 +
|
||||
ipaserver/install/service.py | 1 +
|
||||
3 files changed, 135 insertions(+)
|
||||
create mode 100644 install/updates/20-default_password_policy.update
|
||||
|
||||
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
|
||||
--- /dev/null
|
||||
+++ b/install/updates/20-default_password_policy.update
|
||||
@@ -0,0 +1,133 @@
|
||||
+# Default password policies for hosts, services and Kerberos services
|
||||
+# Setting all attributes to zero effectively disables any password policy
|
||||
+# We can do this because hosts and services uses keytabs instead of passwords
|
||||
+
|
||||
+# hosts
|
||||
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
|
||||
+default:objectClass: krbPwdPolicy
|
||||
+default:objectClass: nsContainer
|
||||
+default:objectClass: top
|
||||
+default:cn: Default Host Password Policy
|
||||
+default:krbMinPwdLife: 0
|
||||
+default:krbPwdMinDiffChars: 0
|
||||
+default:krbPwdMinLength: 0
|
||||
+default:krbPwdHistoryLength: 0
|
||||
+default:krbMaxPwdLife: 0
|
||||
+default:krbPwdMaxFailure: 0
|
||||
+default:krbPwdFailureCountInterval: 0
|
||||
+default:krbPwdLockoutDuration: 0
|
||||
+
|
||||
+# services
|
||||
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
|
||||
+default:objectClass: krbPwdPolicy
|
||||
+default:objectClass: nsContainer
|
||||
+default:objectClass: top
|
||||
+default:cn: Default Service Password Policy
|
||||
+default:krbMinPwdLife: 0
|
||||
+default:krbPwdMinDiffChars: 0
|
||||
+default:krbPwdMinLength: 0
|
||||
+default:krbPwdHistoryLength: 0
|
||||
+default:krbMaxPwdLife: 0
|
||||
+default:krbPwdMaxFailure: 0
|
||||
+default:krbPwdFailureCountInterval: 0
|
||||
+default:krbPwdLockoutDuration: 0
|
||||
+
|
||||
+# kerberos policy container
|
||||
+# this is necessary to avoid mixing the Kerberos sevice password policy
|
||||
+# with group-membership based user password policies
|
||||
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
+default:objectClass: nsContainer
|
||||
+default:objectClass: top
|
||||
+default:cn: Kerberos Service Password Policy
|
||||
+
|
||||
+# kerberos services
|
||||
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
+default:objectClass: krbPwdPolicy
|
||||
+default:objectClass: nsContainer
|
||||
+default:objectClass: top
|
||||
+default:cn: Default Kerberos Service Password Policy
|
||||
+default:krbMinPwdLife: 0
|
||||
+default:krbPwdMinDiffChars: 0
|
||||
+default:krbPwdMinLength: 0
|
||||
+default:krbPwdHistoryLength: 0
|
||||
+default:krbMaxPwdLife: 0
|
||||
+default:krbPwdMaxFailure: 0
|
||||
+default:krbPwdFailureCountInterval: 0
|
||||
+default:krbPwdLockoutDuration: 0
|
||||
+
|
||||
+# default password policies for hosts, services and kerberos services
|
||||
+# cosPriority is set intentionally to higher number than FreeIPA API allows
|
||||
+# to set to ensure that these password policies have always lower priority
|
||||
+# than any defined by user.
|
||||
+
|
||||
+# hosts
|
||||
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
|
||||
+default:objectclass: top
|
||||
+default:objectclass: nsContainer
|
||||
+default:cn: cosTemplates
|
||||
+
|
||||
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
|
||||
+default:objectclass: top
|
||||
+default:objectclass: cosTemplate
|
||||
+default:objectclass: extensibleObject
|
||||
+default:objectclass: krbContainer
|
||||
+default:cn: Default Password Policy
|
||||
+default:cosPriority: 10000000000
|
||||
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
|
||||
+
|
||||
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
|
||||
+default:description: Default Password Policy for Hosts
|
||||
+default:objectClass: top
|
||||
+default:objectClass: ldapsubentry
|
||||
+default:objectClass: cosSuperDefinition
|
||||
+default:objectClass: cosPointerDefinition
|
||||
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
|
||||
+default:cosAttribute: krbPwdPolicyReference default
|
||||
+
|
||||
+# services
|
||||
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
|
||||
+default:objectclass: top
|
||||
+default:objectclass: nsContainer
|
||||
+default:cn: cosTemplates
|
||||
+
|
||||
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
|
||||
+default:objectclass: top
|
||||
+default:objectclass: cosTemplate
|
||||
+default:objectclass: extensibleObject
|
||||
+default:objectclass: krbContainer
|
||||
+default:cn: Default Password Policy
|
||||
+default:cosPriority: 10000000000
|
||||
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
|
||||
+
|
||||
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
|
||||
+default:description: Default Password Policy for Services
|
||||
+default:objectClass: top
|
||||
+default:objectClass: ldapsubentry
|
||||
+default:objectClass: cosSuperDefinition
|
||||
+default:objectClass: cosPointerDefinition
|
||||
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
|
||||
+default:cosAttribute: krbPwdPolicyReference default
|
||||
+
|
||||
+# kerberos services
|
||||
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
+default:objectclass: top
|
||||
+default:objectclass: nsContainer
|
||||
+default:cn: cosTemplates
|
||||
+
|
||||
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
+default:objectclass: top
|
||||
+default:objectclass: cosTemplate
|
||||
+default:objectclass: extensibleObject
|
||||
+default:objectclass: krbContainer
|
||||
+default:cn: Default Password Policy
|
||||
+default:cosPriority: 10000000000
|
||||
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
+
|
||||
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
+default:description: Default Password Policy for Kerberos Services
|
||||
+default:objectClass: top
|
||||
+default:objectClass: ldapsubentry
|
||||
+default:objectClass: cosSuperDefinition
|
||||
+default:objectClass: cosPointerDefinition
|
||||
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
+default:cosAttribute: krbPwdPolicyReference default
|
||||
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
|
||||
index a80256f029f5547b1bc5c2226c9a0a0dd45432f4..e8a55e1734eb9979b34ddb96783902926cc975c0 100644
|
||||
--- a/install/updates/Makefile.am
|
||||
+++ b/install/updates/Makefile.am
|
||||
@@ -24,6 +24,7 @@ app_DATA = \
|
||||
20-winsync_index.update \
|
||||
20-idoverride_index.update \
|
||||
20-uuid.update \
|
||||
+ 20-default_password_policy.update \
|
||||
21-replicas_container.update \
|
||||
21-ca_renewal_container.update \
|
||||
21-certstore_container.update \
|
||||
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
|
||||
index 4cc7012f62c5945839af694e8d8e74179d998b12..6451f92f0d3d768cf4619e8b0e3f52e190b628c8 100644
|
||||
--- a/ipaserver/install/service.py
|
||||
+++ b/ipaserver/install/service.py
|
||||
@@ -245,6 +245,7 @@ class Service(object):
|
||||
# There is no service in the wrong location, nothing to do.
|
||||
# This can happen when installing a replica
|
||||
return None
|
||||
+ entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr
|
||||
newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
|
||||
hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
|
||||
api.Backend.ldap2.delete_entry(entry)
|
||||
--
|
||||
2.7.4
|
||||
|
13
freeipa.spec
13
freeipa.spec
@ -32,13 +32,13 @@
|
||||
%global platform_module fedora
|
||||
%endif
|
||||
|
||||
%global VERSION 4.4.2
|
||||
%global VERSION 4.4.3
|
||||
|
||||
%define _hardened_build 1
|
||||
|
||||
Name: freeipa
|
||||
Version: %{VERSION}
|
||||
Release: 4%{?dist}
|
||||
Release: 1%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -49,8 +49,6 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
|
||||
Patch0002: 0002-Support-DAL-version-5-and-version-6.patch
|
||||
Patch0003: 0003-certprofile-mod-correctly-authorise-config-update.patch
|
||||
Patch0004: 0004-password-policy-Add-explicit-default-password-policy.patch
|
||||
|
||||
%if ! %{ONLY_CLIENT}
|
||||
BuildRequires: 389-ds-base-devel >= 1.3.5.6
|
||||
@ -147,7 +145,7 @@ Requires: %{name}-server-common = %{version}-%{release}
|
||||
Requires: %{name}-client = %{version}-%{release}
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Requires: python2-ipaserver = %{version}-%{release}
|
||||
Requires: 389-ds-base >= 1.3.5.6
|
||||
Requires: 389-ds-base >= 1.3.5.14
|
||||
Requires: openldap-clients > 2.4.35-4
|
||||
Requires: nss >= 3.14.3-12.0
|
||||
Requires: nss-tools >= 3.14.3-12.0
|
||||
@ -179,7 +177,7 @@ Requires: zip
|
||||
Requires: policycoreutils >= 2.1.12-5
|
||||
Requires: tar
|
||||
Requires(pre): certmonger >= 0.78
|
||||
Requires(pre): 389-ds-base >= 1.3.5.6
|
||||
Requires(pre): 389-ds-base >= 1.3.5.14
|
||||
Requires: fontawesome-fonts
|
||||
Requires: open-sans-fonts
|
||||
Requires: openssl
|
||||
@ -1478,6 +1476,9 @@ fi
|
||||
%endif # ONLY_CLIENT
|
||||
|
||||
%changelog
|
||||
* Fri Dec 16 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.3-1
|
||||
- Update to upstream 4.4.3 - see http://www.freeipa.org/page/Releases/4.4.3
|
||||
|
||||
* Wed Dec 14 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.2-4
|
||||
- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
|
||||
- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services
|
||||
|
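Review bot: The new 4.4.3-1 changelog entry in the last hunk of this section records only the upstream bump, while the `@ -49,8 +49,6 @@` hunk drops Patch0003 and Patch0004 and the `Requires`/`Requires(pre)` hunks raise the 389-ds-base floor from 1.3.5.6 to 1.3.5.14. Those two patches are the CVE-2016-9575 and CVE-2016-7030 backports named in the previous 4.4.2-4 entry (and their full text is the deleted content earlier in this commit), so a reader of the spec history has to infer that 4.4.3 presumably carries both fixes upstream rather than that the package silently lost them. Suggest adding under the 4.4.3-1 entry the lines `- Drop patches 0003 and 0004: CVE-2016-9575 and CVE-2016-7030 fixes are included in upstream 4.4.3` and `- Require 389-ds-base >= 1.3.5.14`, so the security relevance of the dropped patches and the new dependency floor are both recorded where packagers will look.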